Querying user information in Active Directory Users & Computers (dsa.msc) can be a bit slow, there is information not even shown, like the date in which users changed their passwords or the expiration days left.
We can write a little script in Powershell to see the LDAP attributes we need. And the new functionality of out-gridview in Powershell v3, make easier to search the users.
Out-GridView already existed in Powershell v2, and it shown the information in a form instead of the console. That is to say it was good for nothing.
In version v3, they have implemented a new parameter -passthru that allow us to select one or more registries from the form and return them to the script.
Let's see an example:
After selecting a user from the list and press accept, that registry pass to the variable $usuario and we can work on it on the rest of the script.
We can write a little script in Powershell to see the LDAP attributes we need. And the new functionality of out-gridview in Powershell v3, make easier to search the users.
Out-GridView already existed in Powershell v2, and it shown the information in a form instead of the console. That is to say it was good for nothing.
In version v3, they have implemented a new parameter -passthru that allow us to select one or more registries from the form and return them to the script.
Let's see an example:
$strsearch="John"
$searcher = New-Object DirectoryServices.DirectorySearcher([adsi]"")
$searcher.filter = "(&(objectclass=user)(objectcategory=person)(givenname=$strsearch))"
$users = $searcher.findall()
$usuarios=@()
foreach ($user in $users)
{
$usuarios+=new-object PSObject -property @{
givenname=[string]$user.properties.givenname
sn=[string]$user.properties.sn
displayname=[string]$user.properties.displayname
samaccountname=[string]$user.properties.samaccountname
}
}
$usuario=$usuarios|select samaccountname,givenname,sn,displayname|out-gridview -passthru -title "Pick a user"
After selecting a user from the list and press accept, that registry pass to the variable $usuario and we can work on it on the rest of the script.
Function Get-UAC($uac)
{
$flags=@()
if ((2 -band $uac) -ne "0"){$flags+="ACCOUNTDISABLE"}
if ((32 -band $uac) -ne "0"){$flags+="PASSWD_NOTREQD"}
if ((512 -band $uac) -ne "0"){$flags+="NORMAL_ACCOUNT"}
if ((65536 -band $uac) -ne "0"){$flags+="DONT_EXPIRE_PASSWORD"}
return $flags
}
Function expiry-password($PasswordLastChanged, $intMaxPwdAge)
{
$now=get-date
$intTimeInterval = [int32]($now - $PasswordLastChanged).days
If ($intTimeInterval -ge $intMaxPwdAge)
{
$strdays="is EXPIRED"
}
else
{
$ExpiringDate = $PasswordLastChanged.addDays($intMaxPwdAge)
$ExpiringDays = [int32]($ExpiringDate - $now).days
$strdays= "expires in $ExpiringDays days ($ExpiringDate)"
}
return $strdays
}
#### main ####
$SECS_IN_A_DAY=86400
$line= "-" * 60
if ([int32][string]$host.version -lt 3){write-warning "Current Powershell version is $($host.version)`nYou need version 3.0 or higher.";start-sleep -s 4;exit}
do
{
$strsearch=read-host "Username/Surname/mail to search in Active Directory?"
write-host $line -fore yellow
$searcher = New-Object DirectoryServices.DirectorySearcher([adsi]"")
$searcher.filter = "(&(objectclass=user)(objectcategory=person)(|(samaccountname=$strsearch)(mail=$strsearch)(sn=$strsearch*)))"
$users = $searcher.findall()
if ($users.count -eq 0)
{
write-host "$strsearch DOESN'T EXIST" -fore red
}
else
{
if ($users.count -eq 1)
{
$user=$users
}
else
{
$usuarios=@()
foreach ($user in $users)
{
$usuarios+=new-object PSObject -property @{
givenname=[string]$user.properties.givenname
sn=[string]$user.properties.sn
displayname=[string]$user.properties.displayname
samaccountname=[string]$user.properties.samaccountname
}
}
$usuario=$usuarios|select samaccountname,givenname,sn,displayname|out-gridview -passthru -title "Pick a user"
$user=$users|?{$_.properties.samaccountname -eq $usuario.samaccountname}
}
}
}while ($user -eq $null)
write-host "Active Directory Info" -fore black -back magenta
$user=$user.GetDirectoryEntry()
$usuario=$user.samaccountname
if ($user.scriptpath -ne $null){$script=$user.scriptpath}else{$script="$usuario.bat"}
write-host "Username: " -fore cyan -nonewline;write-host $usuario
write-host "UPN: " -fore cyan -nonewline;write-host "$($user.userprincipalname)"
write-host "Name: " -fore cyan -nonewline;write-host "$($user.givenname)"
write-host "Surname: " -fore cyan -nonewline;write-host "$($user.sn)"
write-host "EmployeeType: " -fore cyan -nonewline;write-host "$($user.EmployeeType)"
write-host "Created (mm/dd/yyyy): " -fore cyan -nonewline;write-host "$($user.whenCreated)"
if ($user.mail -ne $null)
{
write-host "Mail: " -fore cyan -nonewline;write-host "$($user.mail)"
if ([string]$user.homeMTA -eq ""){$mailbox="Office 365 (Cloud)"}else{$mailbox="On-premise (Exchange) " + "$($user.homeMdb)".substring(0,19)+"..."}
write-host "mailbox: " -fore cyan -nonewline;write-host "$mailbox"
}
$uac=$user.userAccountControl
$flags=Get-Uac("$uac")
if ($flags -notcontains "DONT_EXPIRE_PASSWORD")
{
$domain = [ADSI]"WinNT://$env:userdomain"
$intMaxPwdAge =($domain.maxpasswordage.value)/$SECS_IN_A_DAY
$PasswordLastChanged =$user.PasswordLastChanged
write-host "Password changed on $PasswordLastChanged" -fore yellow
$strdays=expiry-password $PasswordLastChanged $intMaxPwdAge
write-host "Password $strdays" -fore yellow}
write-host "Distinguishedname: " -fore cyan -nonewline;write-host "$($user.distinguishedname)"
write-host "UserAccountControl Flags:" -fore cyan
$flags
write-host $line -fore yellow
Comments
Post a Comment